public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: "Michael Köppl" <m.koeppl@proxmox.com>
To: "Jakob Klocker" <j.klocker@proxmox.com>, <pve-devel@lists.proxmox.com>
Subject: Re: [PATCH manager/access-control 0/3] fix #7513: fine-grained ACL for node certificates
Date: Thu, 09 Jul 2026 14:48:32 +0200	[thread overview]
Message-ID: <DJU1WB7AQXN0.2404KSFDPEEMH@proxmox.com> (raw)
In-Reply-To: <20260528113505.12961-1-j.klocker@proxmox.com>

Thanks for these patches! Gave this a quick spin by creating a new user
and assigning the now more specific permissions.

- Checked that assigning the CertManager Role to the new user for path
  /nodes/<node>/certificates was possible through both the UI and pveum
- Checked that the user then was able to view, upload, and remove
  certificates for the nodes for which the path was added (and that it
  was not possible for other nodes)
- Checked that assigning the CertManager role for path /nodes/<node>
  still allowed the user to manipulate certificates
- Also checked that the user could not access any other functionality
  even if assigned a role with more privileges

The patches seemed to work as expected for me. I also had a look at the
code and the changes look simple enough and good to me. I quickly
checked if any other parts of PVE might be affected by these changes,
but I don't think that's the case.

Consider this:
Reviewed-by: Michael Köppl <m.koeppl@proxmox.com>
Tested-by: Michael Köppl <m.koeppl@proxmox.com>

On Thu May 28, 2026 at 1:35 PM CEST, Jakob Klocker wrote:
> Managing node certificates currently requires broad /nodes/{node}
> permissions, which violates the least-privilege principle. This
> series adds /nodes/{node}/certificates as a dedicated ACL path and
> moves the relevant permission checks onto it, so certificate
> management can be done without granting node-wide rights.

[snip]




      parent reply	other threads:[~2026-07-09 12:48 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-28 11:35 [PATCH manager/access-control 0/3] fix #7513: fine-grained ACL for node certificates Jakob Klocker
2026-05-28 11:35 ` [PATCH access-control 1/3] fix #7513: acl: allow ACL access to /nodes/{node}/certificates path Jakob Klocker
2026-05-28 11:35 ` [PATCH manager 2/3] fix #7513: api: certs: change ACL on certificates path Jakob Klocker
2026-05-28 11:35 ` [PATCH manager 3/3] fix #7513: ui: perm path store: add per-node certificates ACL path Jakob Klocker
2026-07-09 12:48 ` Michael Köppl [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DJU1WB7AQXN0.2404KSFDPEEMH@proxmox.com \
    --to=m.koeppl@proxmox.com \
    --cc=j.klocker@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal